From 608c9a76d0f4faf81de7cd1d07a33ecea6c4f5056beebbf41a467684ea3dc60a Mon Sep 17 00:00:00 2001 
From: OBS User unknown Date: Tue, 3 Mar 2009 21:42:45 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=25 --- openssh-5.1p1-strnvis.diff | 17 ----- openssh-5.1p1.tar.bz2 | 3 - ...fix.diff => openssh-5.2p1-askpass-fix.diff | 0 ...1-audit.patch => openssh-5.2p1-audit.patch | 30 ++++----- ...rm.diff => openssh-5.2p1-blocksigalrm.diff | 0 ...iff => openssh-5.2p1-default-protocol.diff | 2 +- ...5.1p1-eal3.diff => openssh-5.2p1-eal3.diff | 14 ++-- ...engines.diff => openssh-5.2p1-engines.diff | 28 ++++---- ...rwards.diff => openssh-5.2p1-forwards.diff | 4 +- ...c-fix.patch => openssh-5.2p1-gcc-fix.patch | 0 ...tm.patch => openssh-5.2p1-gssapimitm.patch | 35 +++++----- ...m-fix2.diff => openssh-5.2p1-pam-fix2.diff | 0 ...m-fix3.diff => openssh-5.2p1-pam-fix3.diff | 0 ...m-fix4.diff => openssh-5.2p1-pam-fix4.diff | 8 +-- ...h-5.1p1-pts.diff => openssh-5.2p1-pts.diff | 0 ...ix.diff => openssh-5.2p1-saveargv-fix.diff | 4 +- ...ale.diff => openssh-5.2p1-send_locale.diff | 3 +- ...1-tmpdir.diff => openssh-5.2p1-tmpdir.diff | 0 ...1p1-xauth.diff => openssh-5.2p1-xauth.diff | 2 +- ...f => openssh-5.2p1-xauthlocalhostname.diff | 14 ++-- openssh-5.1p1.dif => openssh-5.2p1.dif | 0 openssh-5.2p1.tar.bz2 | 3 + openssh-askpass-gnome.changes | 5 ++ openssh-askpass-gnome.spec | 10 +-- openssh.changes | 54 +++++++++++++++ openssh.spec | 65 ++++++++++++++++--- 26 files changed, 198 insertions(+), 103 deletions(-) delete mode 100644 openssh-5.1p1-strnvis.diff delete mode 100644 openssh-5.1p1.tar.bz2 rename openssh-5.1p1-askpass-fix.diff => openssh-5.2p1-askpass-fix.diff (100%) rename openssh-5.1p1-audit.patch => openssh-5.2p1-audit.patch (92%) rename openssh-5.1p1-blocksigalrm.diff => openssh-5.2p1-blocksigalrm.diff (100%) rename openssh-5.1p1-default-protocol.diff => openssh-5.2p1-default-protocol.diff (73%) rename openssh-5.1p1-eal3.diff => openssh-5.2p1-eal3.diff (84%) rename openssh-5.1p1-engines.diff => 
openssh-5.2p1-engines.diff (87%) rename openssh-5.1p1-forwards.diff => openssh-5.2p1-forwards.diff (87%) rename openssh-5.1p1-gcc-fix.patch => openssh-5.2p1-gcc-fix.patch (100%) rename openssh-5.1p1-gssapimitm.patch => openssh-5.2p1-gssapimitm.patch (95%) rename openssh-5.1p1-pam-fix2.diff => openssh-5.2p1-pam-fix2.diff (100%) rename openssh-5.1p1-pam-fix3.diff => openssh-5.2p1-pam-fix3.diff (100%) rename openssh-5.1p1-pam-fix4.diff => openssh-5.2p1-pam-fix4.diff (87%) rename openssh-5.1p1-pts.diff => openssh-5.2p1-pts.diff (100%) rename openssh-5.1p1-saveargv-fix.diff => openssh-5.2p1-saveargv-fix.diff (91%) rename openssh-5.1p1-send_locale.diff => openssh-5.2p1-send_locale.diff (95%) rename openssh-5.1p1-tmpdir.diff => openssh-5.2p1-tmpdir.diff (100%) rename openssh-5.1p1-xauth.diff => openssh-5.2p1-xauth.diff (97%) rename openssh-5.1p1-xauthlocalhostname.diff => openssh-5.2p1-xauthlocalhostname.diff (91%) rename openssh-5.1p1.dif => openssh-5.2p1.dif (100%) create mode 100644 openssh-5.2p1.tar.bz2 diff --git a/openssh-5.1p1-strnvis.diff b/openssh-5.1p1-strnvis.diff deleted file mode 100644 index ccae325..0000000 --- a/openssh-5.1p1-strnvis.diff +++ /dev/null @@ -1,17 +0,0 @@ ---- sshconnect2.c -+++ sshconnect2.c -@@ -387,11 +387,11 @@ - debug3("input_userauth_banner"); - raw = packet_get_string(&len); - lang = packet_get_string(NULL); -- if (options.log_level >= SYSLOG_LEVEL_INFO) { -+ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) { - if (len > 65536) - len = 65536; -- msg = xmalloc(len * 4); /* max expansion from strnvis() */ -- strnvis(msg, raw, len * 4, VIS_SAFE|VIS_OCTAL); -+ msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */ -+ strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH); - fprintf(stderr, "%s", msg); - xfree(msg); - } diff --git a/openssh-5.1p1.tar.bz2 b/openssh-5.1p1.tar.bz2 deleted file mode 100644 index 295527f..0000000 --- a/openssh-5.1p1.tar.bz2 +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:bbe533aa4d2d083011035e3b63e558eaf8db83f7b062410a2035aeb822904472 -size 835720 diff --git a/openssh-5.1p1-askpass-fix.diff b/openssh-5.2p1-askpass-fix.diff similarity index 100% rename from openssh-5.1p1-askpass-fix.diff rename to openssh-5.2p1-askpass-fix.diff diff --git a/openssh-5.1p1-audit.patch b/openssh-5.2p1-audit.patch similarity index 92% rename from openssh-5.1p1-audit.patch rename to openssh-5.2p1-audit.patch index fe26cf3..c65487f 100644 --- a/openssh-5.1p1-audit.patch +++ b/openssh-5.2p1-audit.patch @@ -1,7 +1,7 @@ # add support for Linux audit (FATE #120269) ================================================================================ ---- openssh-5.1p1/Makefile.in -+++ openssh-5.1p1/Makefile.in +--- openssh-5.2p1/Makefile.in ++++ openssh-5.2p1/Makefile.in @@ -44,6 +44,7 @@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ @@ -19,8 +19,8 @@ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ---- openssh-5.1p1/auth.c -+++ openssh-5.1p1/auth.c +--- openssh-5.2p1/auth.c ++++ openssh-5.2p1/auth.c @@ -287,6 +287,12 @@ get_canonical_hostname(options.use_dns), "ssh", &loginmsg); # endif @@ -45,9 +45,9 @@ #ifdef SSH_AUDIT_EVENTS audit_event(SSH_INVALID_USER); #endif /* SSH_AUDIT_EVENTS */ ---- openssh-5.1p1/config.h.in -+++ openssh-5.1p1/config.h.in -@@ -1388,6 +1388,9 @@ +--- openssh-5.2p1/config.h.in ++++ openssh-5.2p1/config.h.in +@@ -1397,6 +1397,9 @@ /* Define if you want SELinux support. */ #undef WITH_SELINUX @@ -57,9 +57,9 @@ /* Define to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel and VAX). */ #undef WORDS_BIGENDIAN ---- openssh-5.1p1/configure.ac -+++ openssh-5.1p1/configure.ac -@@ -3314,6 +3314,20 @@ +--- openssh-5.2p1/configure.ac ++++ openssh-5.2p1/configure.ac +@@ -3340,6 +3340,20 @@ fi ] ) 
@@ -80,7 +80,7 @@ # Check whether user wants Kerberos 5 support KRB5_MSG="no" AC_ARG_WITH(kerberos5, -@@ -4134,6 +4148,7 @@ +@@ -4160,6 +4174,7 @@ echo " OSF SIA support: $SIA_MSG" echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" @@ -88,8 +88,8 @@ echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" ---- openssh-5.1p1/loginrec.c -+++ openssh-5.1p1/loginrec.c +--- openssh-5.2p1/loginrec.c ++++ openssh-5.2p1/loginrec.c @@ -176,6 +176,10 @@ #include "auth.h" #include "buffer.h" @@ -174,8 +174,8 @@ /** ** Low-level libutil login() functions **/ ---- openssh-5.1p1/loginrec.h -+++ openssh-5.1p1/loginrec.h +--- openssh-5.2p1/loginrec.h ++++ openssh-5.2p1/loginrec.h @@ -127,5 +127,9 @@ char *line_abbrevname(char *dst, const char *src, int dstsize); diff --git a/openssh-5.1p1-blocksigalrm.diff b/openssh-5.2p1-blocksigalrm.diff similarity index 100% rename from openssh-5.1p1-blocksigalrm.diff rename to openssh-5.2p1-blocksigalrm.diff diff --git a/openssh-5.1p1-default-protocol.diff b/openssh-5.2p1-default-protocol.diff similarity index 73% rename from openssh-5.1p1-default-protocol.diff rename to openssh-5.2p1-default-protocol.diff index cefb1ad..4fe68b5 100644 --- a/openssh-5.1p1-default-protocol.diff +++ b/openssh-5.2p1-default-protocol.diff @@ -7,5 +7,5 @@ -# Protocol 2,1 + Protocol 2 # Cipher 3des - # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc + # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 diff --git a/openssh-5.1p1-eal3.diff b/openssh-5.2p1-eal3.diff similarity index 84% rename from openssh-5.1p1-eal3.diff rename to openssh-5.2p1-eal3.diff index 001113a..f522b9f 100644 --- a/openssh-5.1p1-eal3.diff +++ b/openssh-5.2p1-eal3.diff 
@@ -1,6 +1,6 @@ ---- openssh-5.1p1/sshd.8 -+++ openssh-5.1p1/sshd.8 -@@ -785,7 +785,7 @@ +--- openssh-5.2p1/sshd.8 ++++ openssh-5.2p1/sshd.8 +@@ -783,7 +783,7 @@ The file format is described in .Xr moduli 5 . .Pp @@ -9,7 +9,7 @@ See .Xr motd 5 . .Pp -@@ -798,7 +798,7 @@ +@@ -796,7 +796,7 @@ refused. The file should be world-readable. .Pp @@ -18,7 +18,7 @@ This file is used in exactly the same way as .Pa hosts.equiv , but allows host-based authentication without permitting login with -@@ -875,8 +875,7 @@ +@@ -873,8 +873,7 @@ .Xr ssh-keyscan 1 , .Xr chroot 2 , .Xr hosts_access 5 , @@ -28,8 +28,8 @@ .Xr sshd_config 5 , .Xr inetd 8 , .Xr sftp-server 8 ---- openssh-5.1p1/sshd_config.5 -+++ openssh-5.1p1/sshd_config.5 +--- openssh-5.2p1/sshd_config.5 ++++ openssh-5.2p1/sshd_config.5 @@ -177,9 +177,6 @@ By default, no banner is displayed. .It Cm ChallengeResponseAuthentication diff --git a/openssh-5.1p1-engines.diff b/openssh-5.2p1-engines.diff similarity index 87% rename from openssh-5.1p1-engines.diff rename to openssh-5.2p1-engines.diff index 841fa60..443c191 100644 --- a/openssh-5.1p1-engines.diff +++ b/openssh-5.2p1-engines.diff @@ -1,5 +1,5 @@ ---- openssh-5.1p1/ssh-add.c -+++ openssh-5.1p1/ssh-add.c +--- openssh-5.2p1/ssh-add.c ++++ openssh-5.2p1/ssh-add.c @@ -43,6 +43,7 @@ #include @@ -19,8 +19,8 @@ /* At first, get a connection to the authentication agent. */ ac = ssh_get_authentication_connection(); if (ac == NULL) { ---- openssh-5.1p1/ssh-agent.c -+++ openssh-5.1p1/ssh-agent.c +--- openssh-5.2p1/ssh-agent.c ++++ openssh-5.2p1/ssh-agent.c @@ -52,6 +52,7 @@ #include #include @@ -40,8 +40,8 @@ __progname = ssh_get_progname(av[0]); init_rng(); seed_rng(); ---- openssh-5.1p1/ssh-keygen.c -+++ openssh-5.1p1/ssh-keygen.c +--- openssh-5.2p1/ssh-keygen.c ++++ openssh-5.2p1/ssh-keygen.c @@ -22,6 +22,7 @@ #include #include 
@@ -62,8 +62,8 @@ log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); init_rng(); ---- openssh-5.1p1/ssh-keysign.c -+++ openssh-5.1p1/ssh-keysign.c +--- openssh-5.2p1/ssh-keysign.c ++++ openssh-5.2p1/ssh-keysign.c @@ -38,6 +38,7 @@ #include #include @@ -84,8 +84,8 @@ for (i = 0; i < 256; i++) rnd[i] = arc4random(); RAND_seed(rnd, sizeof(rnd)); ---- openssh-5.1p1/ssh.c -+++ openssh-5.1p1/ssh.c +--- openssh-5.2p1/ssh.c ++++ openssh-5.2p1/ssh.c @@ -73,6 +73,7 @@ #include #include "openbsd-compat/openssl-compat.h" @@ -94,7 +94,7 @@ #include "xmalloc.h" #include "ssh.h" -@@ -562,6 +563,10 @@ +@@ -550,6 +551,10 @@ SSLeay_add_all_algorithms(); ERR_load_crypto_strings(); @@ -105,8 +105,8 @@ /* Initialize the command to execute on remote host. */ buffer_init(&command); ---- openssh-5.1p1/sshd.c -+++ openssh-5.1p1/sshd.c +--- openssh-5.2p1/sshd.c ++++ openssh-5.2p1/sshd.c @@ -77,6 +77,7 @@ #include #include @@ -115,7 +115,7 @@ #ifdef HAVE_SECUREWARE #include -@@ -1416,6 +1417,10 @@ +@@ -1415,6 +1416,10 @@ SSLeay_add_all_algorithms(); diff --git a/openssh-5.1p1-forwards.diff b/openssh-5.2p1-forwards.diff similarity index 87% rename from openssh-5.1p1-forwards.diff rename to openssh-5.2p1-forwards.diff index bb69f61..ad3d422 100644 --- a/openssh-5.1p1-forwards.diff +++ b/openssh-5.2p1-forwards.diff @@ -1,8 +1,8 @@ --- channels.c +++ channels.c -@@ -2418,6 +2418,9 @@ - const char *host, *addr; +@@ -2471,6 +2471,9 @@ char ntop[NI_MAXHOST], strport[NI_MAXSERV]; + in_port_t *lport_p; + if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) + fatal("channel_setup_fwd_listener: too many forwards"); diff --git a/openssh-5.1p1-gcc-fix.patch b/openssh-5.2p1-gcc-fix.patch similarity index 100% rename from openssh-5.1p1-gcc-fix.patch rename to openssh-5.2p1-gcc-fix.patch 
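Review bot: The rebased channels.c hunk in openssh-5.2p1-forwards.diff has no comment saying which array the new bound protects. It tests `num_adm_permitted_opens` against `SSH_MAX_FORWARDS_PER_DIRECTION`, while the `fatal()` text and the neighbouring `lport_p`/`strport` declarations place it in channel_setup_fwd_listener, whose body lies outside the hunk. Nothing visible shows that function growing that counter, so a reader cannot tell whether this is the right limit for the listener path. I would add a comment above the check, for example `/* bnc#448775: refuse to set up more listeners than permitted_adm_opens[] can hold */`, with the array name confirmed against the 5.2p1 source. If a different counter governs this path, the condition should test that one instead.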
diff --git a/openssh-5.1p1-gssapimitm.patch b/openssh-5.2p1-gssapimitm.patch similarity index 95% rename from openssh-5.1p1-gssapimitm.patch rename to openssh-5.2p1-gssapimitm.patch index b8539fe..05e55fc 100644 --- a/openssh-5.1p1-gssapimitm.patch +++ b/openssh-5.2p1-gssapimitm.patch @@ -52,16 +52,16 @@ Index: auth2-gss.c extern Authmethod method_gssapi; +extern Authmethod method_gssapi_old; #endif - - Authmethod *authmethods[] = { -@@ -77,6 +78,7 @@ + #ifdef JPAKE + extern Authmethod method_jpake; +@@ -80,6 +81,7 @@ &method_pubkey, #ifdef GSSAPI &method_gssapi, + &method_gssapi_old, #endif - &method_passwd, - &method_kbdint, + #ifdef JPAKE + &method_jpake, --- readconf.c +++ readconf.c @@ -126,7 +126,7 @@ @@ -85,7 +85,7 @@ Index: auth2-gss.c #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -447,6 +449,10 @@ +@@ -456,6 +458,10 @@ case oGssDelegateCreds: intptr = &options->gss_deleg_creds; goto parse_flag; @@ -96,7 +96,7 @@ Index: auth2-gss.c case oBatchMode: intptr = &options->batch_mode; -@@ -1017,6 +1023,7 @@ +@@ -1009,6 +1015,7 @@ options->challenge_response_authentication = -1; options->gss_authentication = -1; options->gss_deleg_creds = -1; @@ -104,7 +104,7 @@ Index: auth2-gss.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1108,6 +1115,8 @@ +@@ -1101,6 +1108,8 @@ options->gss_authentication = 0; if (options->gss_deleg_creds == -1) options->gss_deleg_creds = 0; @@ -133,7 +133,7 @@ Index: auth2-gss.c options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -211,6 +212,8 @@ +@@ -212,6 +213,8 @@ options->gss_authentication = 0; if (options->gss_cleanup_creds == -1) options->gss_cleanup_creds = 1; 
@@ -142,7 +142,7 @@ Index: auth2-gss.c if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -299,7 +302,7 @@ +@@ -302,7 +305,7 @@ sBanner, sUseDNS, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, @@ -150,8 +150,8 @@ Index: auth2-gss.c + sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssEnableMITM, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, - sDeprecated, sUnsupported -@@ -360,9 +363,11 @@ + sZeroKnowledgePasswordAuthentication, +@@ -364,9 +367,11 @@ #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -163,7 +163,7 @@ Index: auth2-gss.c #endif { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, -@@ -885,6 +890,10 @@ +@@ -894,6 +899,10 @@ case sGssCleanupCreds: intptr = &options->gss_cleanup_creds; goto parse_flag; @@ -186,7 +186,7 @@ Index: auth2-gss.c int kbd_interactive_authentication; /* If true, permit */ --- ssh_config +++ ssh_config -@@ -54,3 +54,13 @@ +@@ -54,4 +54,14 @@ # Tunnel no # TunnelDevice any:any # PermitLocalCommand no @@ -200,10 +200,11 @@ Index: auth2-gss.c +# GSSAPIEnableMITMAttack no + +>>>>>>> + # VisualHostKey no --- sshconnect2.c +++ sshconnect2.c -@@ -246,6 +246,10 @@ - userauth_gssapi, +@@ -255,6 +255,10 @@ + NULL, &options.gss_authentication, NULL}, + {"gssapi", @@ -213,7 +214,7 @@ Index: auth2-gss.c #endif {"hostbased", userauth_hostbased, -@@ -587,7 +591,9 @@ +@@ -617,7 +621,9 @@ if (status == GSS_S_COMPLETE) { /* send either complete or MIC, depending on mechanism */ 
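Review bot: The ssh_config part of openssh-5.2p1-gssapimitm.patch still carries a bare `+>>>>>>>` line, which reads like a leftover merge-conflict marker. This hunk rebases around it, adding the `# VisualHostKey no` context line, rather than removing it. Applied as shown, the patch would put an uncommented `>>>>>>>` line into the shipped ssh_config directly above `# VisualHostKey no`, unless a later patch in the series strips it, which this hunk does not show. I would delete that line from the patch and lower the inner hunk's new-side count to match (`+54,14` would become `+54,13`), so that the client configuration does not depend on patch ordering to stay parseable.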
diff --git a/openssh-5.1p1-pam-fix2.diff b/openssh-5.2p1-pam-fix2.diff similarity index 100% rename from openssh-5.1p1-pam-fix2.diff rename to openssh-5.2p1-pam-fix2.diff diff --git a/openssh-5.1p1-pam-fix3.diff b/openssh-5.2p1-pam-fix3.diff similarity index 100% rename from openssh-5.1p1-pam-fix3.diff rename to openssh-5.2p1-pam-fix3.diff diff --git a/openssh-5.1p1-pam-fix4.diff b/openssh-5.2p1-pam-fix4.diff similarity index 87% rename from openssh-5.1p1-pam-fix4.diff rename to openssh-5.2p1-pam-fix4.diff index ece7ea1..513f3df 100644 --- a/openssh-5.1p1-pam-fix4.diff +++ b/openssh-5.2p1-pam-fix4.diff @@ -1,8 +1,8 @@ Index: openssh-5.1p1/auth-pam.c -=================================================================== ---- openssh-5.1p1.orig/auth-pam.c -+++ openssh-5.1p1/auth-pam.c -@@ -602,16 +602,16 @@ sshpam_cleanup(void) +================================================================================ +--- openssh-5.2p1/auth-pam.c ++++ openssh-5.2p1/auth-pam.c +@@ -602,16 +602,16 @@ return; debug("PAM: cleanup"); pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); diff --git a/openssh-5.1p1-pts.diff b/openssh-5.2p1-pts.diff similarity index 100% rename from openssh-5.1p1-pts.diff rename to openssh-5.2p1-pts.diff diff --git a/openssh-5.1p1-saveargv-fix.diff b/openssh-5.2p1-saveargv-fix.diff similarity index 91% rename from openssh-5.1p1-saveargv-fix.diff rename to openssh-5.2p1-saveargv-fix.diff index 781681d..eca9660 100644 --- a/openssh-5.1p1-saveargv-fix.diff +++ b/openssh-5.2p1-saveargv-fix.diff @@ -1,6 +1,6 @@ --- sshd.c +++ sshd.c -@@ -305,6 +305,7 @@ +@@ -304,6 +304,7 @@ static void sighup_restart(void) { @@ -8,7 +8,7 @@ logit("Received SIGHUP; restarting."); close_listen_socks(); close_startup_pipes(); -@@ -1270,7 +1271,11 @@ +@@ -1269,7 +1270,11 @@ #ifndef HAVE_SETPROCTITLE /* Prepare for later setproctitle emulation */ compat_init_setproctitle(ac, av); 
diff --git a/openssh-5.1p1-send_locale.diff b/openssh-5.2p1-send_locale.diff similarity index 95% rename from openssh-5.1p1-send_locale.diff rename to openssh-5.2p1-send_locale.diff index ddfce1a..4ba968f 100644 --- a/openssh-5.1p1-send_locale.diff +++ b/openssh-5.2p1-send_locale.diff @@ -1,6 +1,6 @@ --- ssh_config +++ ssh_config -@@ -63,4 +63,7 @@ +@@ -63,5 +63,8 @@ # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. # GSSAPIEnableMITMAttack no @@ -9,6 +9,7 @@ +SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +SendEnv LC_IDENTIFICATION LC_ALL + # VisualHostKey no --- sshd_config +++ sshd_config @@ -119,6 +119,11 @@ diff --git a/openssh-5.1p1-tmpdir.diff b/openssh-5.2p1-tmpdir.diff similarity index 100% rename from openssh-5.1p1-tmpdir.diff rename to openssh-5.2p1-tmpdir.diff diff --git a/openssh-5.1p1-xauth.diff b/openssh-5.2p1-xauth.diff similarity index 97% rename from openssh-5.1p1-xauth.diff rename to openssh-5.2p1-xauth.diff index 0fea6db..aa05b94 100644 --- a/openssh-5.1p1-xauth.diff +++ b/openssh-5.2p1-xauth.diff @@ -1,6 +1,6 @@ --- session.c +++ session.c -@@ -2487,8 +2487,41 @@ +@@ -2493,8 +2493,41 @@ session_close(Session *s) { u_int i; diff --git a/openssh-5.1p1-xauthlocalhostname.diff b/openssh-5.2p1-xauthlocalhostname.diff similarity index 91% rename from openssh-5.1p1-xauthlocalhostname.diff rename to openssh-5.2p1-xauthlocalhostname.diff index dadf833..8474da8 100644 --- a/openssh-5.1p1-xauthlocalhostname.diff +++ b/openssh-5.2p1-xauthlocalhostname.diff @@ -1,6 +1,6 @@ --- session.c +++ session.c -@@ -1104,7 +1104,7 @@ +@@ -1110,7 +1110,7 @@ } static char ** @@ -9,7 +9,7 @@ { char buf[256]; u_int i, envsize; -@@ -1291,6 +1291,8 @@ +@@ -1297,6 +1297,8 @@ for (i = 0; env[i]; i++) fprintf(stderr, " %.200s\n", env[i]); } 
@@ -18,7 +18,7 @@ return env; } -@@ -1299,7 +1301,7 @@ +@@ -1305,7 +1307,7 @@ * first in this order). */ static void @@ -27,7 +27,7 @@ { FILE *f = NULL; char cmd[1024]; -@@ -1353,12 +1355,20 @@ +@@ -1359,12 +1361,20 @@ options.xauth_location); f = popen(cmd, "w"); if (f) { @@ -48,7 +48,7 @@ } else { fprintf(stderr, "Could not run %s\n", cmd); -@@ -1644,6 +1654,7 @@ +@@ -1650,6 +1660,7 @@ { extern char **environ; char **env; @@ -56,7 +56,7 @@ char *argv[ARGV_MAX]; const char *shell, *shell0, *hostname = NULL; struct passwd *pw = s->pw; -@@ -1710,7 +1721,7 @@ +@@ -1716,7 +1727,7 @@ * Make sure $SHELL points to the shell from the password file, * even if shell is overridden from login.conf */ @@ -65,7 +65,7 @@ #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); -@@ -1778,7 +1789,7 @@ +@@ -1784,7 +1795,7 @@ closefrom(STDERR_FILENO + 1); if (!options.use_login) diff --git a/openssh-5.1p1.dif b/openssh-5.2p1.dif similarity index 100% rename from openssh-5.1p1.dif rename to openssh-5.2p1.dif diff --git a/openssh-5.2p1.tar.bz2 b/openssh-5.2p1.tar.bz2 new file mode 100644 index 0000000..7dba649 --- /dev/null +++ b/openssh-5.2p1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5de561b64b659e21d66b4f1c04690e94f922f3f5fb3f070e81fbd8f9f4403de8 +size 816819 diff --git a/openssh-askpass-gnome.changes b/openssh-askpass-gnome.changes index 2c77555..bda8a75 100644 --- a/openssh-askpass-gnome.changes +++ b/openssh-askpass-gnome.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Feb 23 17:27:22 CET 2009 - anicka@suse.cz + +- update to 5.2p1 + ------------------------------------------------------------------- Wed Apr 9 14:35:42 CEST 2008 - anicka@suse.cz diff --git a/openssh-askpass-gnome.spec b/openssh-askpass-gnome.spec index 9cbf7ae..a8a6f5c 100644 --- a/openssh-askpass-gnome.spec +++ b/openssh-askpass-gnome.spec 
@@ -1,7 +1,7 @@ # -# spec file for package openssh-askpass-gnome (Version 5.1p1) +# spec file for package openssh-askpass-gnome (Version 5.2p1) # -# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -22,8 +22,8 @@ Name: openssh-askpass-gnome BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files License: BSD 3-Clause Group: Productivity/Networking/SSH -Version: 5.1p1 -Release: 41 +Version: 5.2p1 +Release: 1 Requires: openssh = %{version} openssh-askpass = %{version} AutoReqProv: on Summary: A GNOME-Based Passphrase Dialog for OpenSSH @@ -118,6 +118,8 @@ rm -rf $RPM_BUILD_ROOT %attr(0755,root,root) /usr/%_lib/ssh/gnome-ssh-askpass %changelog +* Mon Feb 23 2009 anicka@suse.cz +- update to 5.2p1 * Wed Apr 09 2008 anicka@suse.cz - update to 5.0p1 * Wed Apr 02 2008 anicka@suse.cz diff --git a/openssh.changes b/openssh.changes index 216676e..ae755c3 100644 --- a/openssh.changes +++ b/openssh.changes 
@@ -1,3 +1,57 @@ +------------------------------------------------------------------- +Mon Feb 23 17:27:45 CET 2009 - anicka@suse.cz + +- update to 5.2p1 + * This release changes the default cipher order to prefer the AES CTR + modes and the revised "arcfour256" mode to CBC mode ciphers that are + susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". + * This release also adds countermeasures to mitigate CPNI-957037-style + attacks against the SSH protocol's use of CBC-mode ciphers. Upon + detection of an invalid packet length or Message Authentication + Code, ssh/sshd will continue reading up to the maximum supported + packet length rather than immediately terminating the connection. + This eliminates most of the known differences in behaviour that + leaked information about the plaintext of injected data which formed + the basis of this attack. We believe that these attacks are rendered + infeasible by these changes. + * Added a -y option to ssh(1) to force logging to syslog rather than + stderr, which is useful when running daemonised (ssh -f) + * The sshd_config(5) ForceCommand directive now accepts commandline + arguments for the internal-sftp server. + * The ssh(1) ~C escape commandline now support runtime creation of + dynamic (-D) port forwards. + * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards. + (bz#1482) + * Support remote port forwarding with a listen port of '0'. This + informs the server that it should dynamically allocate a listen + port and report it back to the client. (bz#1003) + * sshd(8) now supports setting PermitEmptyPasswords and + AllowAgentForwarding in Match blocks + * Repair a ssh(1) crash introduced in openssh-5.1 when the client is + sent a zero-length banner (bz#1496) + * Due to interoperability problems with certain + broken SSH implementations, the eow@openssh.com and + no-more-sessions@openssh.com protocol extensions are now only sent + to peers that identify themselves as OpenSSH. 
+ * Make ssh(1) send the correct channel number for + SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to + avoid triggering 'Non-public channel' error messages on sshd(8) in + openssh-5.1. + * Avoid printing 'Non-public channel' warnings in sshd(8), since the + ssh(1) has sent incorrect channel numbers since ~2004 (this reverts + a behaviour introduced in openssh-5.1). + * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539) + * Correct fail-on-error behaviour in sftp(1) batchmode for remote + stat operations. (bz#1541) + * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave + connections. (bz#1543) + * Avoid hang in ssh(1) when attempting to connect to a server that + has MaxSessions=0 set. + * Multiple fixes to sshd(8) configuration test (-T) mode + * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418, + 1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540 + * Many manual page improvements. + ------------------------------------------------------------------- Mon Dec 1 15:43:14 CET 2008 - anicka@suse.cz diff --git a/openssh.spec b/openssh.spec index 71b0338..eff7c9f 100644 --- a/openssh.spec +++ b/openssh.spec @@ -1,7 +1,7 @@ # -# spec file for package openssh (Version 5.1p1) +# spec file for package openssh (Version 5.2p1) # -# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -37,8 +37,8 @@ Requires: /bin/netstat PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions Conflicts: nonfreessh AutoReqProv: on -Version: 5.1p1 -Release: 41 +Version: 5.2p1 +Release: 1 %define xversion 1.2.4.1 Summary: Secure Shell Client and Server (Remote Login Program) Url: http://www.openssh.com/ 
@@ -70,7 +70,6 @@ Patch43: %{name}-%{version}-default-protocol.diff Patch44: %{name}-%{version}-audit.patch Patch45: %{name}-%{version}-pts.diff Patch46: %{name}-%{version}-pam-fix4.diff -Patch47: %{name}-%{version}-strnvis.diff Patch48: %{name}-%{version}-forwards.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -162,7 +161,6 @@ Authors: %patch44 -p1 %patch45 %patch46 -p1 -%patch47 %patch48 cp -v %{SOURCE4} . cp -v %{SOURCE6} . @@ -294,7 +292,7 @@ rm -rf $RPM_BUILD_ROOT %attr(0755,root,root) /usr/%_lib/ssh/sftp-server %attr(0755,root,root) /usr/%_lib/ssh/ssh-keysign %dir /etc/slp.reg.d -/etc/slp.reg.d/ssh.reg +%config /etc/slp.reg.d/ssh.reg /var/adm/fillup-templates/sysconfig.ssh %config %{_fwdefdir}/sshd 
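Review bot: In the `%files` hunk at `-294,7 +292,7`, `/etc/slp.reg.d/ssh.reg` becomes plain `%config`, so an administrator's edited copy is replaced on upgrade whenever the packaged file changes, with the old one kept only as `.rpmsave`. If local edits to this registration file are meant to persist, `%config(noreplace) /etc/slp.reg.d/ssh.reg` is the safer marking. The following hunk at `-304,9 +302,60` goes the other way and drops `%config` from `%_appdefdir/SshAskpass`. Neither change appears in the openssh.changes entry added by this commit, which lists only upstream 5.2p1 items; a line such as `- mark ssh.reg as %config, SshAskpass no longer %config` would record the intent.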
@@ -304,9 +302,60 @@ rm -rf $RPM_BUILD_ROOT %attr(0755,root,root) /usr/%_lib/ssh/x11-ssh-askpass %doc %_mandir/man1/ssh-askpass.1x.gz %doc %_mandir/man1/x11-ssh-askpass.1x.gz -%config %_appdefdir/SshAskpass +%_appdefdir/SshAskpass %changelog +* Mon Feb 23 2009 anicka@suse.cz +- update to 5.2p1 + * This release changes the default cipher order to prefer the AES CTR + modes and the revised "arcfour256" mode to CBC mode ciphers that are + susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". + * This release also adds countermeasures to mitigate CPNI-957037-style + attacks against the SSH protocol's use of CBC-mode ciphers. Upon + detection of an invalid packet length or Message Authentication + Code, ssh/sshd will continue reading up to the maximum supported + packet length rather than immediately terminating the connection. + This eliminates most of the known differences in behaviour that + leaked information about the plaintext of injected data which formed + the basis of this attack. We believe that these attacks are rendered + infeasible by these changes. + * Added a -y option to ssh(1) to force logging to syslog rather than + stderr, which is useful when running daemonised (ssh -f) + * The sshd_config(5) ForceCommand directive now accepts commandline + arguments for the internal-sftp server. + * The ssh(1) ~C escape commandline now support runtime creation of + dynamic (-D) port forwards. + * Support the SOCKS4A protocol in ssh(1) dynamic (-D) forwards. + (bz#1482) + * Support remote port forwarding with a listen port of '0'. This + informs the server that it should dynamically allocate a listen + port and report it back to the client. 
(bz#1003) + * sshd(8) now supports setting PermitEmptyPasswords and + AllowAgentForwarding in Match blocks + * Repair a ssh(1) crash introduced in openssh-5.1 when the client is + sent a zero-length banner (bz#1496) + * Due to interoperability problems with certain + broken SSH implementations, the eow@openssh.com and + no-more-sessions@openssh.com protocol extensions are now only sent + to peers that identify themselves as OpenSSH. + * Make ssh(1) send the correct channel number for + SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to + avoid triggering 'Non-public channel' error messages on sshd(8) in + openssh-5.1. + * Avoid printing 'Non-public channel' warnings in sshd(8), since the + ssh(1) has sent incorrect channel numbers since ~2004 (this reverts + a behaviour introduced in openssh-5.1). + * Avoid double-free in ssh(1) ~C escape -L handler (bz#1539) + * Correct fail-on-error behaviour in sftp(1) batchmode for remote + stat operations. (bz#1541) + * Disable nonfunctional ssh(1) ~C escape handler in multiplex slave + connections. (bz#1543) + * Avoid hang in ssh(1) when attempting to connect to a server that + has MaxSessions=0 set. + * Multiple fixes to sshd(8) configuration test (-T) mode + * Several core and portable OpenSSH bugs fixed: 1380, 1412, 1418, + 1419, 1421, 1490, 1491, 1492, 1514, 1515, 1518, 1520, 1538, 1540 + * Many manual page improvements. * Mon Dec 01 2008 anicka@suse.cz - respect SSH_MAX_FORWARDS_PER_DIRECTION (bnc#448775) * Mon Nov 10 2008 anicka@suse.cz